1/* 2 * TLS v1.0/v1.1/v1.2 client (RFC 2246, RFC 4346, RFC 5246) 3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/sha1.h" 13#include "crypto/tls.h" 14#include "x509v3.h" 15#include "tlsv1_common.h" 16#include "tlsv1_record.h" 17#include "tlsv1_client.h" 18#include "tlsv1_client_i.h" 19 20/* TODO: 21 * Support for a message fragmented across several records (RFC 2246, 6.2.1) 22 */ 23 24 25void tls_alert(struct tlsv1_client *conn, u8 level, u8 description) 26{ 27 conn->alert_level = level; 28 conn->alert_description = description; 29} 30 31 32void tlsv1_client_free_dh(struct tlsv1_client *conn) 33{ 34 os_free(conn->dh_p); 35 os_free(conn->dh_g); 36 os_free(conn->dh_ys); 37 conn->dh_p = conn->dh_g = conn->dh_ys = NULL; 38} 39 40 41int tls_derive_pre_master_secret(u8 *pre_master_secret) 42{ 43 WPA_PUT_BE16(pre_master_secret, TLS_VERSION); 44 if (os_get_random(pre_master_secret + 2, 45 TLS_PRE_MASTER_SECRET_LEN - 2)) 46 return -1; 47 return 0; 48} 49 50 51int tls_derive_keys(struct tlsv1_client *conn, 52 const u8 *pre_master_secret, size_t pre_master_secret_len) 53{ 54 u8 seed[2 * TLS_RANDOM_LEN]; 55 u8 key_block[TLS_MAX_KEY_BLOCK_LEN]; 56 u8 *pos; 57 size_t key_block_len; 58 59 if (pre_master_secret) { 60 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: pre_master_secret", 61 pre_master_secret, pre_master_secret_len); 62 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 63 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 64 TLS_RANDOM_LEN); 65 if (tls_prf(conn->rl.tls_version, 66 pre_master_secret, pre_master_secret_len, 67 "master secret", seed, 2 * TLS_RANDOM_LEN, 68 conn->master_secret, TLS_MASTER_SECRET_LEN)) { 69 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive " 70 "master_secret"); 71 return -1; 72 } 73 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: master_secret", 74 conn->master_secret, TLS_MASTER_SECRET_LEN); 75 } 76 77 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 78 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN); 79 key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len); 80 if (conn->rl.tls_version == TLS_VERSION_1) 81 key_block_len += 2 * conn->rl.iv_size; 82 if (tls_prf(conn->rl.tls_version, 83 conn->master_secret, TLS_MASTER_SECRET_LEN, 84 "key expansion", seed, 2 * TLS_RANDOM_LEN, 85 key_block, key_block_len)) { 86 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block"); 87 return -1; 88 } 89 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: key_block", 90 key_block, key_block_len); 91 92 pos = key_block; 93 94 /* client_write_MAC_secret */ 95 os_memcpy(conn->rl.write_mac_secret, pos, conn->rl.hash_size); 96 pos += conn->rl.hash_size; 97 /* server_write_MAC_secret */ 98 os_memcpy(conn->rl.read_mac_secret, pos, conn->rl.hash_size); 99 pos += conn->rl.hash_size; 100 101 /* client_write_key */ 102 os_memcpy(conn->rl.write_key, pos, conn->rl.key_material_len); 103 pos += conn->rl.key_material_len; 104 /* server_write_key */ 105 os_memcpy(conn->rl.read_key, pos, conn->rl.key_material_len); 106 pos += conn->rl.key_material_len; 107 108 if (conn->rl.tls_version == TLS_VERSION_1) { 109 /* client_write_IV */ 110 os_memcpy(conn->rl.write_iv, pos, conn->rl.iv_size); 111 pos += conn->rl.iv_size; 112 /* server_write_IV */ 113 os_memcpy(conn->rl.read_iv, pos, conn->rl.iv_size); 114 } else { 115 /* 116 * Use IV field to set the mask value for TLS v1.1. A fixed 117 * mask of zero is used per the RFC 4346, 6.2.3.2 CBC Block 118 * Cipher option 2a. 119 */ 120 os_memset(conn->rl.write_iv, 0, conn->rl.iv_size); 121 } 122 123 return 0; 124} 125 126 127/** 128 * tlsv1_client_handshake - Process TLS handshake 129 * @conn: TLSv1 client connection data from tlsv1_client_init() 130 * @in_data: Input data from TLS peer 131 * @in_len: Input data length 132 * @out_len: Length of the output buffer. 133 * @appl_data: Pointer to application data pointer, or %NULL if dropped 134 * @appl_data_len: Pointer to variable that is set to appl_data length 135 * @need_more_data: Set to 1 if more data would be needed to complete 136 * processing 137 * Returns: Pointer to output data, %NULL on failure 138 */ 139u8 * tlsv1_client_handshake(struct tlsv1_client *conn, 140 const u8 *in_data, size_t in_len, 141 size_t *out_len, u8 **appl_data, 142 size_t *appl_data_len, int *need_more_data) 143{ 144 const u8 *pos, *end; 145 u8 *msg = NULL, *in_msg = NULL, *in_pos, *in_end, alert, ct; 146 size_t in_msg_len; 147 int no_appl_data; 148 int used; 149 150 if (need_more_data) 151 *need_more_data = 0; 152 153 if (conn->state == CLIENT_HELLO) { 154 if (in_len) 155 return NULL; 156 return tls_send_client_hello(conn, out_len); 157 } 158 159 if (conn->partial_input) { 160 if (wpabuf_resize(&conn->partial_input, in_len) < 0) { 161 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 162 "memory for pending record"); 163 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 164 TLS_ALERT_INTERNAL_ERROR); 165 goto failed; 166 } 167 wpabuf_put_data(conn->partial_input, in_data, in_len); 168 in_data = wpabuf_head(conn->partial_input); 169 in_len = wpabuf_len(conn->partial_input); 170 } 171 172 if (in_data == NULL || in_len == 0) 173 return NULL; 174 175 pos = in_data; 176 end = in_data + in_len; 177 in_msg = os_malloc(in_len); 178 if (in_msg == NULL) 179 return NULL; 180 181 /* Each received packet may include multiple records */ 182 while (pos < end) { 183 in_msg_len = in_len; 184 used = tlsv1_record_receive(&conn->rl, pos, end - pos, 185 in_msg, &in_msg_len, &alert); 186 if (used < 0) { 187 wpa_printf(MSG_DEBUG, "TLSv1: Processing received " 188 "record failed"); 189 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 190 goto failed; 191 } 192 if (used == 0) { 193 struct wpabuf *partial; 194 wpa_printf(MSG_DEBUG, "TLSv1: Need more data"); 195 partial = wpabuf_alloc_copy(pos, end - pos); 196 wpabuf_free(conn->partial_input); 197 conn->partial_input = partial; 198 if (conn->partial_input == NULL) { 199 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 200 "allocate memory for pending " 201 "record"); 202 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 203 TLS_ALERT_INTERNAL_ERROR); 204 goto failed; 205 } 206 os_free(in_msg); 207 if (need_more_data) 208 *need_more_data = 1; 209 return NULL; 210 } 211 ct = pos[0]; 212 213 in_pos = in_msg; 214 in_end = in_msg + in_msg_len; 215 216 /* Each received record may include multiple messages of the 217 * same ContentType. */ 218 while (in_pos < in_end) { 219 in_msg_len = in_end - in_pos; 220 if (tlsv1_client_process_handshake(conn, ct, in_pos, 221 &in_msg_len, 222 appl_data, 223 appl_data_len) < 0) 224 goto failed; 225 in_pos += in_msg_len; 226 } 227 228 pos += used; 229 } 230 231 os_free(in_msg); 232 in_msg = NULL; 233 234 no_appl_data = appl_data == NULL || *appl_data == NULL; 235 msg = tlsv1_client_handshake_write(conn, out_len, no_appl_data); 236 237failed: 238 os_free(in_msg); 239 if (conn->alert_level) { 240 wpabuf_free(conn->partial_input); 241 conn->partial_input = NULL; 242 conn->state = FAILED; 243 os_free(msg); 244 msg = tlsv1_client_send_alert(conn, conn->alert_level, 245 conn->alert_description, 246 out_len); 247 } else if (msg == NULL) { 248 msg = os_zalloc(1); 249 *out_len = 0; 250 } 251 252 if (need_more_data == NULL || !(*need_more_data)) { 253 wpabuf_free(conn->partial_input); 254 conn->partial_input = NULL; 255 } 256 257 return msg; 258} 259 260 261/** 262 * tlsv1_client_encrypt - Encrypt data into TLS tunnel 263 * @conn: TLSv1 client connection data from tlsv1_client_init() 264 * @in_data: Pointer to plaintext data to be encrypted 265 * @in_len: Input buffer length 266 * @out_data: Pointer to output buffer (encrypted TLS data) 267 * @out_len: Maximum out_data length 268 * Returns: Number of bytes written to out_data, -1 on failure 269 * 270 * This function is used after TLS handshake has been completed successfully to 271 * send data in the encrypted tunnel. 272 */ 273int tlsv1_client_encrypt(struct tlsv1_client *conn, 274 const u8 *in_data, size_t in_len, 275 u8 *out_data, size_t out_len) 276{ 277 size_t rlen; 278 279 wpa_hexdump_key(MSG_MSGDUMP, "TLSv1: Plaintext AppData", 280 in_data, in_len); 281 282 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_APPLICATION_DATA, 283 out_data, out_len, in_data, in_len, &rlen) < 0) { 284 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 285 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 286 TLS_ALERT_INTERNAL_ERROR); 287 return -1; 288 } 289 290 return rlen; 291} 292 293 294/** 295 * tlsv1_client_decrypt - Decrypt data from TLS tunnel 296 * @conn: TLSv1 client connection data from tlsv1_client_init() 297 * @in_data: Pointer to input buffer (encrypted TLS data) 298 * @in_len: Input buffer length 299 * @need_more_data: Set to 1 if more data would be needed to complete 300 * processing 301 * Returns: Decrypted data or %NULL on failure 302 * 303 * This function is used after TLS handshake has been completed successfully to 304 * receive data from the encrypted tunnel. 305 */ 306struct wpabuf * tlsv1_client_decrypt(struct tlsv1_client *conn, 307 const u8 *in_data, size_t in_len, 308 int *need_more_data) 309{ 310 const u8 *in_end, *pos; 311 int used; 312 u8 alert, *out_pos, ct; 313 size_t olen; 314 struct wpabuf *buf = NULL; 315 316 if (need_more_data) 317 *need_more_data = 0; 318 319 if (conn->partial_input) { 320 if (wpabuf_resize(&conn->partial_input, in_len) < 0) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 322 "memory for pending record"); 323 alert = TLS_ALERT_INTERNAL_ERROR; 324 goto fail; 325 } 326 wpabuf_put_data(conn->partial_input, in_data, in_len); 327 in_data = wpabuf_head(conn->partial_input); 328 in_len = wpabuf_len(conn->partial_input); 329 } 330 331 pos = in_data; 332 in_end = in_data + in_len; 333 334 while (pos < in_end) { 335 ct = pos[0]; 336 if (wpabuf_resize(&buf, in_end - pos) < 0) { 337 alert = TLS_ALERT_INTERNAL_ERROR; 338 goto fail; 339 } 340 out_pos = wpabuf_put(buf, 0); 341 olen = wpabuf_tailroom(buf); 342 used = tlsv1_record_receive(&conn->rl, pos, in_end - pos, 343 out_pos, &olen, &alert); 344 if (used < 0) { 345 wpa_printf(MSG_DEBUG, "TLSv1: Record layer processing " 346 "failed"); 347 goto fail; 348 } 349 if (used == 0) { 350 struct wpabuf *partial; 351 wpa_printf(MSG_DEBUG, "TLSv1: Need more data"); 352 partial = wpabuf_alloc_copy(pos, in_end - pos); 353 wpabuf_free(conn->partial_input); 354 conn->partial_input = partial; 355 if (conn->partial_input == NULL) { 356 wpa_printf(MSG_DEBUG, "TLSv1: Failed to " 357 "allocate memory for pending " 358 "record"); 359 alert = TLS_ALERT_INTERNAL_ERROR; 360 goto fail; 361 } 362 if (need_more_data) 363 *need_more_data = 1; 364 return buf; 365 } 366 367 if (ct == TLS_CONTENT_TYPE_ALERT) { 368 if (olen < 2) { 369 wpa_printf(MSG_DEBUG, "TLSv1: Alert " 370 "underflow"); 371 alert = TLS_ALERT_DECODE_ERROR; 372 goto fail; 373 } 374 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 375 out_pos[0], out_pos[1]); 376 if (out_pos[0] == TLS_ALERT_LEVEL_WARNING) { 377 /* Continue processing */ 378 pos += used; 379 continue; 380 } 381 382 alert = out_pos[1]; 383 goto fail; 384 } 385 386 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 387 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected content type " 388 "0x%x when decrypting application data", 389 pos[0]); 390 alert = TLS_ALERT_UNEXPECTED_MESSAGE; 391 goto fail; 392 } 393 394 wpabuf_put(buf, olen); 395 396 pos += used; 397 } 398 399 wpabuf_free(conn->partial_input); 400 conn->partial_input = NULL; 401 return buf; 402 403fail: 404 wpabuf_free(buf); 405 wpabuf_free(conn->partial_input); 406 conn->partial_input = NULL; 407 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, alert); 408 return NULL; 409} 410 411 412/** 413 * tlsv1_client_global_init - Initialize TLSv1 client 414 * Returns: 0 on success, -1 on failure 415 * 416 * This function must be called before using any other TLSv1 client functions. 417 */ 418int tlsv1_client_global_init(void) 419{ 420 return crypto_global_init(); 421} 422 423 424/** 425 * tlsv1_client_global_deinit - Deinitialize TLSv1 client 426 * 427 * This function can be used to deinitialize the TLSv1 client that was 428 * initialized by calling tlsv1_client_global_init(). No TLSv1 client functions 429 * can be called after this before calling tlsv1_client_global_init() again. 430 */ 431void tlsv1_client_global_deinit(void) 432{ 433 crypto_global_deinit(); 434} 435 436 437/** 438 * tlsv1_client_init - Initialize TLSv1 client connection 439 * Returns: Pointer to TLSv1 client connection data or %NULL on failure 440 */ 441struct tlsv1_client * tlsv1_client_init(void) 442{ 443 struct tlsv1_client *conn; 444 size_t count; 445 u16 *suites; 446 447 conn = os_zalloc(sizeof(*conn)); 448 if (conn == NULL) 449 return NULL; 450 451 conn->state = CLIENT_HELLO; 452 453 if (tls_verify_hash_init(&conn->verify) < 0) { 454 wpa_printf(MSG_DEBUG, "TLSv1: Failed to initialize verify " 455 "hash"); 456 os_free(conn); 457 return NULL; 458 } 459 460 count = 0; 461 suites = conn->cipher_suites; 462 suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256; 463 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256; 464 suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; 465 suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA; 466 suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256; 467 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256; 468 suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; 469 suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA; 470 suites[count++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA; 471 suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; 472 suites[count++] = TLS_RSA_WITH_RC4_128_SHA; 473 suites[count++] = TLS_RSA_WITH_RC4_128_MD5; 474 conn->num_cipher_suites = count; 475 476 conn->rl.tls_version = TLS_VERSION; 477 478 return conn; 479} 480 481 482/** 483 * tlsv1_client_deinit - Deinitialize TLSv1 client connection 484 * @conn: TLSv1 client connection data from tlsv1_client_init() 485 */ 486void tlsv1_client_deinit(struct tlsv1_client *conn) 487{ 488 crypto_public_key_free(conn->server_rsa_key); 489 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 490 tlsv1_record_change_write_cipher(&conn->rl); 491 tlsv1_record_change_read_cipher(&conn->rl); 492 tls_verify_hash_free(&conn->verify); 493 os_free(conn->client_hello_ext); 494 tlsv1_client_free_dh(conn); 495 tlsv1_cred_free(conn->cred); 496 wpabuf_free(conn->partial_input); 497 x509_certificate_chain_free(conn->server_cert); 498 os_free(conn); 499} 500 501 502/** 503 * tlsv1_client_established - Check whether connection has been established 504 * @conn: TLSv1 client connection data from tlsv1_client_init() 505 * Returns: 1 if connection is established, 0 if not 506 */ 507int tlsv1_client_established(struct tlsv1_client *conn) 508{ 509 return conn->state == ESTABLISHED; 510} 511 512 513/** 514 * tlsv1_client_prf - Use TLS-PRF to derive keying material 515 * @conn: TLSv1 client connection data from tlsv1_client_init() 516 * @label: Label (e.g., description of the key) for PRF 517 * @server_random_first: seed is 0 = client_random|server_random, 518 * 1 = server_random|client_random 519 * @out: Buffer for output data from TLS-PRF 520 * @out_len: Length of the output buffer 521 * Returns: 0 on success, -1 on failure 522 */ 523int tlsv1_client_prf(struct tlsv1_client *conn, const char *label, 524 int server_random_first, u8 *out, size_t out_len) 525{ 526 u8 seed[2 * TLS_RANDOM_LEN]; 527 528 if (conn->state != ESTABLISHED) 529 return -1; 530 531 if (server_random_first) { 532 os_memcpy(seed, conn->server_random, TLS_RANDOM_LEN); 533 os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, 534 TLS_RANDOM_LEN); 535 } else { 536 os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN); 537 os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random, 538 TLS_RANDOM_LEN); 539 } 540 541 return tls_prf(conn->rl.tls_version, 542 conn->master_secret, TLS_MASTER_SECRET_LEN, 543 label, seed, 2 * TLS_RANDOM_LEN, out, out_len); 544} 545 546 547/** 548 * tlsv1_client_get_cipher - Get current cipher name 549 * @conn: TLSv1 client connection data from tlsv1_client_init() 550 * @buf: Buffer for the cipher name 551 * @buflen: buf size 552 * Returns: 0 on success, -1 on failure 553 * 554 * Get the name of the currently used cipher. 555 */ 556int tlsv1_client_get_cipher(struct tlsv1_client *conn, char *buf, 557 size_t buflen) 558{ 559 char *cipher; 560 561 switch (conn->rl.cipher_suite) { 562 case TLS_RSA_WITH_RC4_128_MD5: 563 cipher = "RC4-MD5"; 564 break; 565 case TLS_RSA_WITH_RC4_128_SHA: 566 cipher = "RC4-SHA"; 567 break; 568 case TLS_RSA_WITH_DES_CBC_SHA: 569 cipher = "DES-CBC-SHA"; 570 break; 571 case TLS_RSA_WITH_3DES_EDE_CBC_SHA: 572 cipher = "DES-CBC3-SHA"; 573 break; 574 case TLS_DHE_RSA_WITH_DES_CBC_SHA: 575 cipher = "DHE-RSA-DES-CBC-SHA"; 576 break; 577 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: 578 cipher = "DHE-RSA-DES-CBC3-SHA"; 579 break; 580 case TLS_DH_anon_WITH_RC4_128_MD5: 581 cipher = "ADH-RC4-MD5"; 582 break; 583 case TLS_DH_anon_WITH_DES_CBC_SHA: 584 cipher = "ADH-DES-SHA"; 585 break; 586 case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA: 587 cipher = "ADH-DES-CBC3-SHA"; 588 break; 589 case TLS_RSA_WITH_AES_128_CBC_SHA: 590 cipher = "AES-128-SHA"; 591 break; 592 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: 593 cipher = "DHE-RSA-AES-128-SHA"; 594 break; 595 case TLS_DH_anon_WITH_AES_128_CBC_SHA: 596 cipher = "ADH-AES-128-SHA"; 597 break; 598 case TLS_RSA_WITH_AES_256_CBC_SHA: 599 cipher = "AES-256-SHA"; 600 break; 601 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: 602 cipher = "DHE-RSA-AES-256-SHA"; 603 break; 604 case TLS_DH_anon_WITH_AES_256_CBC_SHA: 605 cipher = "ADH-AES-256-SHA"; 606 break; 607 case TLS_RSA_WITH_AES_128_CBC_SHA256: 608 cipher = "AES-128-SHA256"; 609 break; 610 case TLS_RSA_WITH_AES_256_CBC_SHA256: 611 cipher = "AES-256-SHA256"; 612 break; 613 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 614 cipher = "DHE-RSA-AES-128-SHA256"; 615 break; 616 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 617 cipher = "DHE-RSA-AES-256-SHA256"; 618 break; 619 case TLS_DH_anon_WITH_AES_128_CBC_SHA256: 620 cipher = "ADH-AES-128-SHA256"; 621 break; 622 case TLS_DH_anon_WITH_AES_256_CBC_SHA256: 623 cipher = "ADH-AES-256-SHA256"; 624 break; 625 default: 626 return -1; 627 } 628 629 if (os_strlcpy(buf, cipher, buflen) >= buflen) 630 return -1; 631 return 0; 632} 633 634 635/** 636 * tlsv1_client_shutdown - Shutdown TLS connection 637 * @conn: TLSv1 client connection data from tlsv1_client_init() 638 * Returns: 0 on success, -1 on failure 639 */ 640int tlsv1_client_shutdown(struct tlsv1_client *conn) 641{ 642 conn->state = CLIENT_HELLO; 643 644 if (tls_verify_hash_init(&conn->verify) < 0) { 645 wpa_printf(MSG_DEBUG, "TLSv1: Failed to re-initialize verify " 646 "hash"); 647 return -1; 648 } 649 650 tlsv1_record_set_cipher_suite(&conn->rl, TLS_NULL_WITH_NULL_NULL); 651 tlsv1_record_change_write_cipher(&conn->rl); 652 tlsv1_record_change_read_cipher(&conn->rl); 653 654 conn->certificate_requested = 0; 655 crypto_public_key_free(conn->server_rsa_key); 656 conn->server_rsa_key = NULL; 657 conn->session_resumed = 0; 658 659 return 0; 660} 661 662 663/** 664 * tlsv1_client_resumed - Was session resumption used 665 * @conn: TLSv1 client connection data from tlsv1_client_init() 666 * Returns: 1 if current session used session resumption, 0 if not 667 */ 668int tlsv1_client_resumed(struct tlsv1_client *conn) 669{ 670 return !!conn->session_resumed; 671} 672 673 674/** 675 * tlsv1_client_hello_ext - Set TLS extension for ClientHello 676 * @conn: TLSv1 client connection data from tlsv1_client_init() 677 * @ext_type: Extension type 678 * @data: Extension payload (%NULL to remove extension) 679 * @data_len: Extension payload length 680 * Returns: 0 on success, -1 on failure 681 */ 682int tlsv1_client_hello_ext(struct tlsv1_client *conn, int ext_type, 683 const u8 *data, size_t data_len) 684{ 685 u8 *pos; 686 687 conn->session_ticket_included = 0; 688 os_free(conn->client_hello_ext); 689 conn->client_hello_ext = NULL; 690 conn->client_hello_ext_len = 0; 691 692 if (data == NULL || data_len == 0) 693 return 0; 694 695 pos = conn->client_hello_ext = os_malloc(4 + data_len); 696 if (pos == NULL) 697 return -1; 698 699 WPA_PUT_BE16(pos, ext_type); 700 pos += 2; 701 WPA_PUT_BE16(pos, data_len); 702 pos += 2; 703 os_memcpy(pos, data, data_len); 704 conn->client_hello_ext_len = 4 + data_len; 705 706 if (ext_type == TLS_EXT_PAC_OPAQUE) { 707 conn->session_ticket_included = 1; 708 wpa_printf(MSG_DEBUG, "TLSv1: Using session ticket"); 709 } 710 711 return 0; 712} 713 714 715/** 716 * tlsv1_client_get_random - Get random data from TLS connection 717 * @conn: TLSv1 client connection data from tlsv1_client_init() 718 * @keys: Structure of random data (filled on success) 719 * Returns: 0 on success, -1 on failure 720 */ 721int tlsv1_client_get_random(struct tlsv1_client *conn, struct tls_random *keys) 722{ 723 os_memset(keys, 0, sizeof(*keys)); 724 if (conn->state == CLIENT_HELLO) 725 return -1; 726 727 keys->client_random = conn->client_random; 728 keys->client_random_len = TLS_RANDOM_LEN; 729 730 if (conn->state != SERVER_HELLO) { 731 keys->server_random = conn->server_random; 732 keys->server_random_len = TLS_RANDOM_LEN; 733 } 734 735 return 0; 736} 737 738 739/** 740 * tlsv1_client_get_keyblock_size - Get TLS key_block size 741 * @conn: TLSv1 client connection data from tlsv1_client_init() 742 * Returns: Size of the key_block for the negotiated cipher suite or -1 on 743 * failure 744 */ 745int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn) 746{ 747 if (conn->state == CLIENT_HELLO || conn->state == SERVER_HELLO) 748 return -1; 749 750 return 2 * (conn->rl.hash_size + conn->rl.key_material_len + 751 conn->rl.iv_size); 752} 753 754 755/** 756 * tlsv1_client_set_cipher_list - Configure acceptable cipher suites 757 * @conn: TLSv1 client connection data from tlsv1_client_init() 758 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers 759 * (TLS_CIPHER_*). 760 * Returns: 0 on success, -1 on failure 761 */ 762int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers) 763{ 764 size_t count; 765 u16 *suites; 766 767 /* TODO: implement proper configuration of cipher suites */ 768 if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) { 769 count = 0; 770 suites = conn->cipher_suites; 771 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA256; 772 suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA; 773 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA256; 774 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 775 suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; 776 suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5; 777 suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA; 778 779 /* 780 * Cisco AP (at least 350 and 1200 series) local authentication 781 * server does not know how to search cipher suites from the 782 * list and seem to require that the last entry in the list is 783 * the one that it wants to use. However, TLS specification 784 * requires the list to be in the client preference order. As a 785 * workaround, add anon-DH AES-128-SHA1 again at the end of the 786 * list to allow the Cisco code to find it. 787 */ 788 suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; 789 conn->num_cipher_suites = count; 790 } 791 792 return 0; 793} 794 795 796/** 797 * tlsv1_client_set_cred - Set client credentials 798 * @conn: TLSv1 client connection data from tlsv1_client_init() 799 * @cred: Credentials from tlsv1_cred_alloc() 800 * Returns: 0 on success, -1 on failure 801 * 802 * On success, the client takes ownership of the credentials block and caller 803 * must not free it. On failure, caller is responsible for freeing the 804 * credential block. 805 */ 806int tlsv1_client_set_cred(struct tlsv1_client *conn, 807 struct tlsv1_credentials *cred) 808{ 809 tlsv1_cred_free(conn->cred); 810 conn->cred = cred; 811 return 0; 812} 813 814 815/** 816 * tlsv1_client_set_flags - Set connection flags 817 * @conn: TLSv1 client connection data from tlsv1_client_init() 818 * @flags: TLS_CONN_* bitfield 819 */ 820void tlsv1_client_set_flags(struct tlsv1_client *conn, unsigned int flags) 821{ 822 conn->flags = flags; 823} 824 825 826void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn, 827 tlsv1_client_session_ticket_cb cb, 828 void *ctx) 829{ 830 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback set %p (ctx %p)", 831 cb, ctx); 832 conn->session_ticket_cb = cb; 833 conn->session_ticket_cb_ctx = ctx; 834} 835 836 837void tlsv1_client_set_cb(struct tlsv1_client *conn, 838 void (*event_cb)(void *ctx, enum tls_event ev, 839 union tls_event_data *data), 840 void *cb_ctx, 841 int cert_in_cb) 842{ 843 conn->event_cb = event_cb; 844 conn->cb_ctx = cb_ctx; 845 conn->cert_in_cb = !!cert_in_cb; 846} 847 848 849int tlsv1_client_get_version(struct tlsv1_client *conn, char *buf, 850 size_t buflen) 851{ 852 if (!conn) 853 return -1; 854 switch (conn->rl.tls_version) { 855 case TLS_VERSION_1: 856 os_strlcpy(buf, "TLSv1", buflen); 857 break; 858 case TLS_VERSION_1_1: 859 os_strlcpy(buf, "TLSv1.1", buflen); 860 break; 861 case TLS_VERSION_1_2: 862 os_strlcpy(buf, "TLSv1.2", buflen); 863 break; 864 default: 865 return -1; 866 } 867 868 return 0; 869} 870